There is a heap-use-after-free in manager_clear_jobs_and_units

### systemd version the issue has been seen with

systemd-251.4-53.fc37.x86_64

### Used distribution

Fedora 37

### Linux kernel version used

Linux localhost.localdomain 5.19.7-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 5 15:09:01 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

### CPU architectures issue was seen on

x86_64

### Component

systemd

### Expected behaviour you didn't see

I have a script just like test below with special 'M-BM-' character in /etc/rc.d/init.d/test.  systemd will crash if  "Provides" and "Required-Start" have the same word even though it's not 'M-BM-'.
```
[root@localhost init.d]# cat -A test
#!/bin/bash$
$
### BEGIN INIT INFO$
# Provides:M-BM-  M-BM-  M-BM-  M-BM-  M-BM- test$
# Required-Start:M-BM-  M-BM- $remote_fs $network$
# Required-Stop:M-BM-  M-BM-  $remote_fs $network$
# Description:for test$
# Short-Description:Test$
### END INIT INFO$
$
case "$1" in$
    start)$
        sleep 1000 &$
        ;;$
    stop)$
        sleep 10 &$
        ;;$
    *)$
        echo "Usage: service test {start|stop|restart|status}"$
        ;;$
esac$

```

### Unexpected behaviour you saw

Systemd is killed by the SEGV signal.

### Steps to reproduce the problem

1. setenforce 0
2. put test script in /etc/rc.d/init.d/test with no 'M-BM-'
```
[root@localhost init.d]# pwd
/etc/rc.d/init.d
[root@localhost init.d]# cat test
#!/bin/bash

### BEGIN INIT INFO
# Provides:test1 test2 
# Required-Start: $remote_fs $network
#### Required-Start:test1 $remote_fs $network
# Required-Stop:test1 $remote_fs $network
# Description:Test
# Short-Description: Test
### END INIT INFO

case "$1" in
    start)
        sleep 1000 &
        ;;
    stop)
        sleep 10 &
        ;;
    *)
        echo "Usage: service test {start|stop|restart|status}"
        ;;
esac

```
3.chmod 777 test; systemctl daemon-reload;systemctl start test
4.change /etc/rc.d/init.d/test with '####' while test.service is running.
```
[root@localhost init.d]# cat test
#!/bin/bash

### BEGIN INIT INFO
# Provides:test1 test2 
#### Required-Start: $remote_fs $network
# Required-Start:test1 $remote_fs $network
# Required-Stop:test1 $remote_fs $network
# Description:Test
# Short-Description: Test
### END INIT INFO

case "$1" in
    start)
        sleep 1000 &
        ;;
    stop)
        sleep 10 &
        ;;
    *)
        echo "Usage: service test {start|stop|restart|status}"
        ;;
esac
```
5. run
```
while true;do systemctl daemon-reload;done
```

### Additional program output to the terminal or log subsystem illustrating the issue

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

There is a heap-use-after-free in manager_clear_jobs_and_units #24990

systemd version the issue has been seen with

Used distribution

Linux kernel version used

CPU architectures issue was seen on

Component

Expected behaviour you didn't see

Unexpected behaviour you saw

Steps to reproduce the problem

Additional program output to the terminal or log subsystem illustrating the issue

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

There is a heap-use-after-free in manager_clear_jobs_and_units #24990

Description

systemd version the issue has been seen with

Used distribution

Linux kernel version used

CPU architectures issue was seen on

Component

Expected behaviour you didn't see

Unexpected behaviour you saw

Steps to reproduce the problem

Additional program output to the terminal or log subsystem illustrating the issue

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions